In cyber attacks, humans can be the weakest link

Social engineering used to refer to large-scale campaigns to alter the attitudes or behaviour of a population. These days, cyber specialists use it to mean something else: manipulating individuals into performing actions or divulging information that can enable criminals to hack into IT networks — where they can steal data, shut down systems and extort. The costs can be huge. For Marks and Spencer, one of Britain’s biggest retailers, a cyber attack that began last month is expected to knock as much as £300mn off its annual operating profit, and has wiped about £750mn from its market value.

M&S revealed last week that cyber criminals accessed its systems using social engineering tactics via a third-party supplier, which typically means duping IT staff into changing passwords or resetting authentication processes. The retailer has had to shut down online clothing sales for weeks and warn millions of customers that personal data, though not bank details, had been stolen. Trust in its brand is on the line, though M&S shoppers seem a loyal bunch. But it is not alone. The Co-op grocery group and Harrods department store have been fending off attacks too.

All these cyber incidents share characteristics associated with a loose community of “threat actors” known as Scattered Spider. Hackers linked to the network were behind attacks on MGM Resorts and Caesars Entertainment in the US in 2023. Google Threat Intelligence researchers have warned that US retailers may be their next target.

Unlike groups often responsible for cyber crimes in the past from Russia and former Soviet states, hackers in this community include English speakers based in the UK and the US. Their hallmark is staging ransomware attacks based on manipulating human beings as much as systems, using hard-to-counter social engineering techniques. These range from impersonating or intimidating key employees — whose backgrounds they have researched — and persuading IT desks to reset passwords, to “SIM swapping” or taking control of a phone, including by conning mobile operators, to intercept verification codes. AI threatens to magnify their capabilities.

The broad lessons of the recent attacks are that even the biggest brands, and well-prepared ones, are not immune; the “human factor” is always a vulnerability. M&S says it boosted cyber security investment by 75 per cent in the previous year and quadrupled its cyber security team over the past two-and-a-half years, and insists it “didn’t leave the door open”. Businesses that outsource many functions to third parties or have extended supply chains are especially exposed: they have the largest “attack surface”, and security is only ever as strong as the weakest link.

Law enforcement bodies need to step up action against this cross-border threat, though they have made some progress; five alleged Scattered Spider members were charged in the US last year. Companies also need to take steps to harden their defences. First, recognise the reality of the risk, and make it a board-level priority and capability. Beef up ID and access controls, for example by requiring on-camera verification or “challenge” questions before passwords or authentication settings are reset, and continually train staff to recognise evolving techniques and suspicious signs. Require similar standards from third-party suppliers, and make sure contractual obligations are being adhered to; map and audit risks across the whole supply chain. Finally, have an incident response plan that is regularly rehearsed and updated.

Ransomware attackers once focused on critical infrastructure such as hospitals or power grids — in hope that operators desperate to keep things running would quickly pay up — but are turning more to commercial companies. Protecting against them is a highly unwelcome extra cost of business. But, as with prevention in many other fields, the cost of failing to do so can be much higher.